How To Encrypt Your Entire Drive With BitLocker Or FileVault


Modern laptops are stolen daily. Without full-disk encryption, the thief gets a wide-open book: your tax returns, saved passwords, browsing history, business files. With it, they get a hunk of expensive aluminum and gibberish data.

iPhones and modern Androids encrypt by default. Macs and Windows machines do NOT: encryption is offered, but you have to turn it on. Most laptops in the wild remain unencrypted because their owners never enabled it.

By the end of this guide your Windows machine will have BitLocker properly configured (with TPM and a PIN), your Mac will have FileVault on (with a recovery key safely stored), and your external drives will be encrypted too. Total time ~30 minutes.


Quick Snapshot

What you’ll learn: Enable BitLocker on Windows, FileVault on macOS, encrypt external drives, manage recovery keys.
Skill level: Beginner-friendly · Power-user nuances included
Time required: 30 minutes
What you’ll need: Your computer, your account password, a safe place for recovery keys
Risk if you skip this: Anyone with physical access reads everything on your drive
PDF kit: ✅ Download at the bottom of this page

Why This Matters

Physical theft is dramatically more common than internet hacking for everyday users. According to FBI Crime Statistics, electronics are involved in a large share of US property crime annually.

Without encryption, a stolen laptop becomes a remote-controlled identity theft kit. The thief plugs the drive into another machine and reads everything — including saved browser passwords, which they then test on every site you used.

BitLocker (Windows) and FileVault (macOS) are built-in, free, and modern-grade. There’s no reason a personal or business laptop should run without one of them in 2026.

Before You Start

Have your password handy. Encryption ties data to your account password — forgetting it after enabling encryption means permanent data loss without the recovery key.

Have a place to safely store the recovery key. Each OS generates one. Save it in your password manager AND print a copy for a fireproof safe or safety deposit box.

Plan for initial encryption time — on large drives this can run for several hours in the background while you work. The drive remains usable throughout.

Step 1 — Windows: Check Device + BitLocker Eligibility

Press Win + R, type tpm.msc, press Enter. If you see ‘TPM is ready for use,’ you’re good. Windows 11 requires TPM 2.0 — you should be fine on modern hardware.

Check edition: Settings → System → About. BitLocker requires Pro / Enterprise / Education. Home edition uses Device Encryption (similar, slightly less configurable).

Step 2 — Windows Pro: Turn On BitLocker

Control Panel → System and Security → BitLocker Drive Encryption → Turn on BitLocker. Choose how to back up the recovery key: Microsoft account (convenient), USB drive (offline), file (encrypted backup), or print.

Critical: save the recovery key in MULTIPLE places. Without it, any Windows hiccup that requires recovery becomes permanent data loss.

Step 3 — Windows: Configure BitLocker With PIN (Recommended)

Default BitLocker uses TPM-only (unlocks on power-up). Better: TPM + PIN, so booting requires both the chip and a PIN you type. Open Local Group Policy Editor (gpedit.msc) → Computer Configuration → Administrative Templates → Windows Components → BitLocker → Operating System Drives → Require additional authentication at startup. Enable it.

Then reconfigure BitLocker by running manage-bde -protectors -add C: -TPMandPIN in an admin command prompt. Set a 6-20 digit PIN.

Step 4 — Windows Home: Use Device Encryption

Settings → System → About → Device specifications. Look for the Device Encryption section. If present, turn it on.

Device Encryption requires Microsoft account sign-in (recovery key goes there). Less flexible than full BitLocker but free and effective.

Step 5 — macOS: Turn On FileVault

System Settings → Privacy & Security → FileVault → Turn On. macOS asks how to handle recovery: store with iCloud (convenient) or generate a separate recovery key (more secure).

If you choose recovery key: save it to your password manager AND print a copy. Lose both and you lose access to a drive that can’t be recovered.

Step 6 — Encrypt External Drives

macOS: right-click an external drive in Finder → ‘Encrypt [DriveName]’. Set a passphrase. The drive becomes unreadable without it.

Windows: File Explorer → right-click the drive → Manage BitLocker → Turn on BitLocker. Same recovery-key flow as the system drive.

Step 7 — Save Recovery Keys Safely

Recovery keys are long alphanumeric strings. Save to: (1) your password manager’s secure notes, (2) a printed copy in a fireproof safe, (3) optionally, a copy with a trusted family member offsite.

Test that you can find and read each copy. Test before you need it — under recovery stress is the wrong time to discover a key was lost.

Step 8 — Monthly Verification

Add a 5-minute monthly task: check that encryption is still on (Settings → Update & Security → Device Encryption on Windows; System Settings → Privacy & Security → FileVault on macOS).

Some Windows updates have been known to disable BitLocker temporarily. Rare but worth catching.

If you stop here, you have already done more for your security than 95% of people. If you want to go further, the next section is for you.

PRO TIP

Recovery Keys Twice. Test Them Once.

Every encryption story that ends badly involves a lost recovery key.
Two copies in different places: password manager + printed offline.
TPM + PIN is materially stronger than TPM-only on Windows.
Encrypt external drives too — they leave the house more than the laptop.

If You Want To Go Further: Power-User Upgrades

Power-User Upgrade #1 — Use VeraCrypt For Cross-Platform Encrypted Volumes

VeraCrypt creates encrypted containers that mount on Mac, Windows, and Linux.

Trade-off: more complex than OS-native options.

Power-User Upgrade #2 — Encrypt Removable USB Sticks Always

USB sticks are easy to lose. Encrypt every one before use.

Trade-off: occasional inconvenience with shared computers.

Power-User Upgrade #3 — Set Up A Hardware-Encrypted External Drive

Drives like Apricorn Aegis have hardware encryption built in — no software dependency.

Trade-off: $150+ per drive.

Power-User Upgrade #4 — On Linux: Use LUKS For Full-Disk Encryption

Standard Linux disk encryption, supported by most distros at install time.

Trade-off: requires distro setup choices.

Power-User Upgrade #5 — Use A YubiKey Or Smart Card For FileVault Unlock

macOS supports smart card authentication, including YubiKey, instead of password.

Trade-off: configuration complexity.

Power-User Upgrade #6 — Audit Encryption Status Across Multiple Devices

For business: tools like Jamf (Mac) and Intune (Windows) report which devices are encrypted across a fleet.

Trade-off: MDM cost.

Common Mistakes & Pitfalls

Mistake — Storing the recovery key only in your password manager — and forgetting the master password.

Fix — Follow the two-different-locations rule: password manager plus a printed offline copy.

Mistake — Skipping encryption on the external backup drive.

Fix — Encrypt it. A backup drive is an easier target than the laptop.

Mistake — Forgetting to enable BitLocker after a Windows reinstall.

Fix — Quarterly verification catches this.

Mistake — Believing ‘login password protects my data.’

Fix — Without encryption, the login is bypassed by removing the drive.

Mistake — Not encrypting before storing sensitive data.

Fix — Encrypt FIRST. Adding files to an unencrypted drive then encrypting later may leave traces of plaintext.

Mistake — Sharing the recovery key over email.

Fix — Email is unencrypted. Send via password-manager-shared item or in person.

Mistake — Using the same password as your Windows login.

Fix — If one is shoulder-surfed, both are compromised.

Pro Tips

Pro tip 1. Run manage-bde -status in an admin command prompt to see BitLocker state across all drives.

Pro tip 2. Use BitLocker To Go for USB sticks specifically — works the same as system BitLocker.

Pro tip 3. On macOS: fdesetup status in Terminal confirms FileVault state.

Pro tip 4. On Windows, add a PowerShell check at startup that confirms encryption is still enabled and alerts you to changes.

Pro tip 5. When selling or donating a computer, full-disk-encrypt FIRST then re-image — leaves no recoverable data.
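
The PowerShell check from Pro tip 4 and the monthly verification in Step 8 can be done in one script. The following is an added example, not code from this guide or from Microsoft; Test-VolumeEncryption is a hypothetical helper name, and the script assumes a Windows edition where the built-in Get-BitLockerVolume cmdlet is available.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide). Test-VolumeEncryption is a
# hypothetical helper name; Get-BitLockerVolume is the built-in cmdlet.

function Test-VolumeEncryption {
    param([Parameter(Mandatory)] $Volume)

    # A volume that is not fully encrypted needs no further checks.
    if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
        return @("not fully encrypted: $($Volume.VolumeStatus), $($Volume.EncryptionPercentage)%")
    }

    $issues = @()
    $types  = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # Encrypted but protection not On means BitLocker is suspended: a clear
    # key sits on the disk, so the data is readable until protection resumes.
    if ("$($Volume.ProtectionStatus)" -ne 'On') {
        $issues += "protection status is $($Volume.ProtectionStatus)"
    }
    # Step 7: a recovery password protector must exist.
    if ($types -notcontains 'RecoveryPassword') {
        $issues += 'no recovery password protector'
    }
    # Step 3: the operating system drive should require TPM + PIN.
    if ("$($Volume.VolumeType)" -eq 'OperatingSystem' -and
        $types -notcontains 'TpmPin' -and $types -notcontains 'TpmPinStartupKey') {
        $issues += 'OS drive does not use TPM + PIN'
    }
    return $issues
}

$failed = $false
foreach ($vol in Get-BitLockerVolume) {
    $issues = @(Test-VolumeEncryption -Volume $vol)
    if ($issues.Count -eq 0) {
        Write-Output "$($vol.MountPoint) OK"
    } else {
        $failed = $true
        foreach ($issue in $issues) { Write-Warning "$($vol.MountPoint) $issue" }
    }
}
if ($failed) { exit 1 }
```

Run it from an elevated PowerShell prompt, or schedule it in Task Scheduler with highest privileges at logon; a non-zero exit code means at least one volume needs attention.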

Frequently Asked Questions

Will Encryption Slow My Computer?

Modern CPUs have hardware AES support; the slowdown is imperceptible (single-digit %).

What If I Forget My Password After Encrypting?

Use your recovery key. Without it, the data is permanently unrecoverable. This is the point of encryption.

Should I Use Microsoft Account Or Local Account On Windows With BitLocker?

Microsoft account is easier (recovery key auto-saved). Local account is more private (recovery key only where you store it).

Can The FBI Or Someone With A Warrant Decrypt My Drive?

Encryption is mathematically strong. Authorities typically use compelled disclosure or device-cracking tools (like Cellebrite). Use of a strong passphrase + iOS/Android secure enclave or TPM PIN materially raises the bar.

Is Hardware-Encrypted USB Safer Than Software?

Marginally for theft scenarios. Software encryption is generally easier to verify and update.

What Happens If My Drive Fails?

Encryption itself doesn’t change drive failure odds. Your backups are what matter. Always have encrypted backups.

Can I Encrypt Only Specific Folders, Not The Whole Drive?

Yes — VeraCrypt creates encrypted folder containers. But for laptop theft, full-disk is much stronger.

Quick Recap — Do These In Order

DO THIS RIGHT NOW

The 8-step recap.

1. Confirm TPM 2.0 (Windows) or T2/M-chip (Mac).
2. Windows Pro: enable BitLocker.
3. Windows Home: enable Device Encryption.
4. macOS: turn on FileVault.
5. Configure TPM + PIN on Windows (Group Policy).
6. Encrypt external drives too.
7. Save recovery keys in two separate places.
8. Monthly verification check.

📄 Download the Article Kit

Print, share, save offline. Free with email signup: the 1-page Summary. Members get all four: Summary, Full How-To, Wallet Reference Card, and Companion Checklist.


Mini Glossary

BitLocker: Windows full-disk encryption.

FileVault: macOS full-disk encryption.

TPM: Trusted Platform Module — chip storing crypto keys.

Recovery key: Long string that unlocks the drive if you forget your password.

AES: Advanced Encryption Standard — the underlying cipher.

VeraCrypt: Cross-platform encrypted-volume tool.
